Skip to content

MSPs, MSSPs, and ESPs under CMMC

 

Learn about MSPs, MSSPs, and ESPs under CMMC, do they need to be CMMC Certified, the Shared Responsibility Matrix, ESP Scoping, and more through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.

Table of Contents

What is an External Service Provider (ESP) under CMMC? 

 

An External Service Provider under CMMC is any external organization, including people, technology, or facilities, that an organization utilizes for the provision and management of information technology or cybersecurity services, and whose assets or personnel process, store, or transmit CUI or Security Protection Data (SPD) in support of the contractor’s CMMC compliance environment, as defined in 32 CFR Part 170 and the CMMC Scoping Guides. 

The key threshold for ESP status is whether CUI or Security Protection Data, such as log data, configuration data, or vulnerability scan results, flows to the external provider’s assets or personnel. If a third-party provider delivers IT services but never handles CUI or SPD, they are not an ESP under CMMC and are not subject to ESP-specific requirements. 

Common ESP categories include: managed service providers (MSPs) that manage in-scope IT infrastructure; managed security service providers (MSSPs) that operate security monitoring tools; cloud service providers (CSPs) that host CUI; and co-location facility operators hosting in-scope systems. Each ESP type carries different CMMC requirements depending on what they handle and how they interact with the contractor’s CUI environment.

 

What is the difference between an MSP and an MSSP under CMMC? 

 

A Managed Service Provider (MSP) under CMMC is a third-party organization that manages an organization’s general IT infrastructure and operations, including networks, servers, endpoints, and cloud environments, while a Managed Security Service Provider (MSSP) specializes specifically in cybersecurity services such as security monitoring, threat detection, incident response, and compliance management. 

Both are ESPs when their services involve access to CUI or Security Protection Data, but their roles in the compliance ecosystem differ. An MSP managing in-scope IT infrastructure typically has administrative access to CUI Assets and Security Protection Assets, making its practices and systems subject to CMMC assessment requirements alongside the contractor’s own environment. An MSSP operating security tools such as a SIEM, endpoint detection and response (EDR), or vulnerability scanner handles Security Protection Data and is similarly in scope. 

Both require a Shared Responsibility Matrix (SRM) documenting which NIST SP 800-171 controls each party is responsible for implementing. Neither an MSP nor an MSSP can assume CMMC compliance obligations on behalf of the contractor, the Organization Seeking Certification (OSC) remains accountable for all 110 controls. 

 

Does my MSP need to be CMMC certified if it manages my CUI environment? 

 

Summary: Whether your MSP needs independent CMMC certification depends on how the ESP’s role is handled in your assessment: under the CMMC final rule (32 CFR Part 170), an ESP that handles CUI can either obtain its own independent CMMC certification at the required level or be included within the scope of the contractor’s own CMMC assessment. 

If the MSP is included within the OSC’s assessment scope, the C3PAO evaluates the MSP’s controls and practices as part of the contractor’s assessment, both organizations collectively demonstrate that all 110 controls are met. This avoids the need for the MSP to undergo a separate independent certification. However, the OSC must ensure the MSP is willing and able to participate in the assessment process, provide evidence, and cooperate with assessor interviews and technical testing. 

If the MSP prefers to be assessed independently, they can obtain their own CMMC Level 2 certification, which then satisfies their portion of the contractor’s requirements. Regardless of approach, the contractor must obtain and maintain a Shared Responsibility Matrix from the MSP documenting which controls each party owns. 

 

Can an MSP or MSSP fulfill CMMC compliance obligations on behalf of my organization? 

 

An MSP or MSSP can support, implement, and help manage CMMC security controls, but the Organization Seeking Certification (OSC) remains solely accountable for all 110 NIST SP 800-171 Rev 2 requirements and all 320 assessment objectives under CMMC Level 2. Compliance obligations cannot be transferred, outsourced, or delegated to a service provider. 

This was explicitly confirmed by the Cyber AB in its April 2025 Town Hall. If a C3PAO identifies a gap during an assessment, the OSC will receive the finding regardless of whether the gap lies in a control area the MSP or MSSP was supposed to manage. Service providers can implement technical controls on behalf of the contractor, manage security tools, assist with documentation, and provide evidence for assessments, but the contractor’s senior official affirmation in SPRS represents the contractor’s personal certification of compliance, not the MSP’s. 

Contractors cannot assume that hiring a CMMC-compliant MSP makes them compliant. The contractor must understand what controls the MSP covers, verify that coverage through a Shared Responsibility Matrix, and be able to demonstrate the implementation during assessment. 

 

What is a Shared Responsibility Matrix (SRM) and when is one required? 

 

Summary: A Shared Responsibility Matrix, also called a Customer Responsibility Matrix (CRM), is a formal document explicitly mapping each of the 110 NIST SP 800-171 Rev 2 controls to the party responsible for implementing it, the contractor, the ESP, both jointly, or neither, and it is required whenever an organization uses an External Service Provider in its CMMC compliance environment. 

The SRM serves multiple purposes: it ensures every control has a clearly designated owner and no control is left unaddressed due to ambiguity; it provides the contractor with a defensible, documented record of how controls are distributed; and it is an evidence artifact that a C3PAO will review during assessment. 

Cloud service providers offering government cloud platforms, including Microsoft for GCC and GCC High, and AWS for GovCloud, publish responsibility matrices that contractors can use as a starting point. When using an MSP, the SRM must be negotiated and signed by both parties, customized to the specific services provided. An SRM that lists all controls as MSP responsibility without the MSP holding CMMC certification or being included in the assessment scope does not satisfy CMMC requirements. 

 

What is Security Protection Data (SPD) and how does it affect ESP scoping? 

 

Security Protection Data is data associated with security protection functions, such as log files, system configuration data, vulnerability scan results, network traffic captures, and security event data, that flows to or through an External Service Provider’s assets or infrastructure, and whose presence triggers ESP scoping requirements even if the ESP does not directly handle CUI. 

An MSSP that collects and analyzes security logs from a contractor’s CUI environment handles SPD, those logs may contain security-sensitive information about the CUI environment’s configuration and activity. The MSSP’s handling of that SPD makes it an ESP in scope for the assessment. 

Under the CMMC final rule, if an ESP handles only SPD (and not CUI), its services can be assessed within the OSC’s assessment scope rather than requiring a separate independent certification. The distinction between CUI-handling ESPs and SPD-only ESPs affects how the assessment boundary is drawn and documented in the SSP. 

 

What CMMC requirements apply to cloud service providers (CSPs) used by my organization? 

 

Summary: Cloud service providers whose offerings process, store, or transmit CUI on behalf of a defense contractor must either hold an active FedRAMP Moderate (or higher) Authorization to Operate (ATO) or provide documented evidence of FedRAMP Moderate equivalency assessed by an accredited FedRAMP 3PAO, as required under DFARS clause 252.204-7012 and the CMMC regulatory framework. 

A CSP that handles only Security Protection Data rather than CUI itself can have its services assessed within the contractor’s CMMC assessment scope rather than needing independent FedRAMP or CMMC authorization. The contractor must obtain the CSP’s Shared Responsibility Matrix to understand which security controls are inherited from the cloud provider versus which controls the contractor must implement. 

All customer-managed controls in the cloud environment must be fully implemented and documented in the contractor’s SSP. The contractor must verify the CSP’s FedRAMP authorization status on the FedRAMP Marketplace (marketplace.fedramp.gov) before placing CUI in any cloud service and must update the SSP when cloud services change.

 

Explore Blogs, Webinars and other Resources

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
Dose Spot Company Logo
DoseSpot
Forsyte I.T. Solutions
Tego Data

Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

What Our Clients Say

We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center

Our Growing List of Credentials

0 +
Assessments
0 +
Clients
0 +
Assessment Libraries
0 +
Years of Experience
0 +
No. of Staff Trained
0 +
HIPAA
0 +
SOC 2 Readiness
0 +
Pen Testing
0 +
ISO 27001 Certifications
0 +
Dollars Saved in Compliance Penalties